Mobile IPSEC Radius IP Assigment

djamp42

Is it possible to have radius give out IPs for users connecting via mobile IPSEC?  I have the authentication part working, but it seems no matter what settings we try pfsense does not give the assigned ip address to the user. This is with StrongSwan. 2.2.4.

I am using IAS for Radius, just wondering if anyone got this working.

Guest

Is it possible to have radius give out IPs for users connecting via mobile IPSEC?

In normal the VPN device is giving the new IP addresses to the IPSec clients and then the Radius
Server is authenticating the VPN clients over the certificates.

I have the authentication part working,

Ok this would be the hardest part as I see it right. If this is working it is only a
smaller tut for you to read and then you will be have it up and running well.

but it seems no matter what settings we try pfsense does not give the assigned ip address to the user.

Pleas see under the Link how to solve this out and enrich this by setting up the Radius Server address
in the IPSec settings! Please read this tutorial

jimp

@djamp42:

Is it possible to have radius give out IPs for users connecting via mobile IPSEC?

Not currently.

MaxHeadroom

It is possible but not via GUI and this option get lost on restart ipsec over GUI (```
ipsec reload

With this entry it works

rightsourceip=%radius

So maybe someone can add this option to the GUI:

VPN: IPsec: Mobile
->Virtual Address Pool as add point

best regards

MaxHeadroom

Hi
i patched my/etc/inc/ipsec.incthat if in Phase1 Auth.  method is EAP-RADIUS and in Mobile clients setting virtual address pool is not checked add ```
rightsourceip=%radius

For me it works now with a Android + strongSwan APP (IKEv2 EAP) and it  gets the ip from freeradius

best regards

[vpn.inc.zip](/public/_imported_attachments_/1/vpn.inc.zip)

jimp

Can you post that as a text diff, rather than a .zip? I'd like to try it but I'd rather not replace the entire file.

ajrg

This is an interesting patch - I would also be interested in the diff!

ajrg

@MaxHeadroom:

gets the ip from freeradius

While I'm thinking about it - with this patch, are you defining IP addresses for already existing (on pfSense) networks? Only reason I ask is that you are turning off the virtual network option.

MaxHeadroom

Hi,

sorry for the delay, here is the Patch for IP getting from the radius and no they are not already existing networks on the pfsense. It only that the radius server submit the ip .

I also have a second Patch same like first patch + change from IKEv2 EAP to IKV2 Certificate +EAP just add rightauth2 and change a little bit  for the generate of```
/var/etc/ipsec/ipsec.conf

I havn't changed the selectable name on the Gui, maybe it is better to add another option ? (better someone who is already knowing how this stuff works can do this )

With both patches the IPSec tunnel is working with  IPSec Freeswan on Android very well.
For security reason i like certs also on client  8) 

Oh sorry i forgott to say: you have to unset **virtual address pool** for the static  ip from radius (Don't forget to set a user ip on the radiusserver!)

BR
markus

[vpn.inc.patch.zip](/public/_imported_attachments_/1/vpn.inc.patch.zip)
[vpn.inc.patch2.zip](/public/_imported_attachments_/1/vpn.inc.patch2.zip)

jimp

The second thing would definitely needs its own, separate GUI choice since it isn't compatible with the current eap-radius selection.

The IP address pulling bit works OK, though I was disappointed to find that it doesn't look like strongSwan has a way to fall back to a local pool if there is no IP address in RADIUS. There is a way to specify multiple items in rightsourceip but it ends up using both at all times, not one then the other. For example if I use "%radius,x.x.x.0/24" it gives an address to the user from both RADIUS and the local pool.

I committed a variation of the IP address part here:
https://github.com/pfsense/pfsense/commit/86330e2b9ba85930a15a2cbd5ef7e7c3d0b3f814

The only negative side effect is that it would not allow someone to configure eap-radius and omit the pool entirely (hardcode IP addresses on the client) – I can't imagine anyone wanting to do that, but maybe someone does. Might still need a GUI checkbox.

ajrg

Sorry for the slow reply - running this patch on my home box and it works brilliantly, so thanks!

Out of interest, is this something that is likely to end up in the release, further down the road?

jimp

It's already in for 2.2.5 so it will be in a release shortly.

ajrg

Great stuff! :D

dcandea

Hi

I managed to make it also work with Mutual RSA and Xauth. Strongswan has support for xauth-radius

replace line

$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";

with

$rightsourceip = "\trightsourceip = %radius\n";

and

$authentication .= "\n\trightauth2 = xauth-generic";

with

$authentication .= "\n\trightauth2 = xauth-radius";